Who should be involved in SSP development besides categorization and control selection?


Multiple Choice

Who should be involved in SSP development besides categorization and control selection?

Explanation:
Developing an SSP requires input from the people who know the system intimately and how it operates. Beyond categorization and control selection, you need to gather information from appropriate personnel who can describe how each control is actually implemented, who is responsible for it, and what procedures are in place. This typically includes system owners, the information system security officer, security engineers, system administrators, and other operational staff. Interviewing these stakeholders helps ensure the SSP accurately reflects real-world practices, responsibilities, and workflows, and that it aligns with policies and risk management decisions. Relying on just one group—such as the system owner alone, external auditors, or vendors—misses critical perspectives on day-to-day operations, implementation details, and risk considerations, making the SSP less accurate and harder to maintain.

